May 18, 2023 - 6:15 p.m.

CVE-2022-36327

2023-05-18 18:15:09
CWE-22
web.nvd.nist.gov

Tags: cve-2022, 36327, path traversal, vulnerability, western digital, my cloud home, my cloud home duo, sandisk ibi, my cloud os 5, remote code execution, authentication bypass, nvd

CVSS3: 9.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 10 High (Confidence: High)

EPSS: 0.004 Low (Percentile: 74.1%)

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability that could allow an attacker to write files to locations with certain critical filesystem types leading to remote code execution was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This issue requires an authentication bypass issue to be triggered before this can be exploited. 
This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.

Affected configurations

NVD

Node
  westerndigital  my_cloud_os_5  Range <5.26.202
  AND
  westerndigital  my_cloud  Match -
  OR
  westerndigital  my_cloud_dl2100  Match -
  OR
  westerndigital  my_cloud_dl4100  Match -
  OR
  westerndigital  my_cloud_ex2_ultra  Match -
  OR
  westerndigital  my_cloud_ex2100  Match -
  OR
  westerndigital  my_cloud_ex4100  Match -
  OR
  westerndigital  my_cloud_mirror_g2  Match -
  OR
  westerndigital  my_cloud_pr2100  Match -
  OR
  westerndigital  my_cloud_pr4100  Match -
  OR
  westerndigital  wd_cloud  Match -

Node
  westerndigital  my_cloud_home_firmware  Range <9.4.0-191
  AND
  westerndigital  my_cloud_home  Match -

Node
  westerndigital  sandisk_ibi_firmware  Range <9.4.0-191
  AND
  westerndigital  sandisk_ibi  Match -

Node
  westerndigital  my_cloud_home_duo_firmware  Range <9.4.0-191
  AND
  westerndigital  my_cloud_home_duo  Match -

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Linux"
    ],
    "product": "My Cloud Home and My Cloud Home Duo",
    "vendor": "Western Digital",
    "versions": [
      {
        "lessThan": " 9.4.0-191",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Linux"
    ],
    "product": "ibi",
    "vendor": "SanDisk",
    "versions": [
      {
        "lessThan": " 9.4.0-191",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Linux"
    ],
    "product": "My Cloud OS 5",
    "vendor": "Western Digital",
    "versions": [
      {
        "lessThan": "5.26.202",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]
